The Security Easy Button. Block Threats in Real Time.


Following the Democratic National Committee’s (DNC) announcement of a breach in June 2016, CrowdStrike published a report detailing its findings about the threat actors behind the attack and concluding that it was the work of two separate, sophisticated Russian APT groups.


Patchwork, so dubbed for its use of code copied and pasted from various online sources, is a targeted attack campaign focused on stealing documents from governments and government-affiliated organizations with dealings in Southeast Asia and the South China Sea. According to researchers from Cymmetria, Patchwork targeted personnel working on military and political assignments worldwide; they suspect that the attackers originate from India.


There has been a recent surge of malware, most commonly known as Shedun or HummingBad, that has infected around 10 million Android phones. Lookout first discovered Shedun in November 2015 and found that its creators make it easy to deceive victims into unintentionally installing it: the user downloads what they believe is a legitimate app such as Facebook, Twitter or WhatsApp, but what they actually install is a repackaged copy that carries the Shedun malware.


Indicators of compromise (IOCs) are the breadcrumbs that tell you your organization may have been exposed to an attack. Learning what these indicators are and how to recognize them helps you stay a step ahead of attackers and stop breaches before they happen, or at least halt attacks while they are still in their early stages.


The big thing this week is Pokémon. After years out of the pop-culture spotlight, Pokémon Go has grabbed the attention (and wallets) of the masses. The app, which launched last week, quickly became a viral phenomenon, topping download charts in the United States, Australia and New Zealand; current estimates show that around five percent of all Android users in America have downloaded it.

The wild popularity of Pokémon Go may have made it a victim of its own success. Server issues aside, the game instantly became a target for attackers keen to exploit the trend: shortly after the official release, a malicious Pokémon Go app containing the DroidJack RAT (remote access tool) appeared. The attackers struck in countries where the game was not yet officially available, and their primary targets were players eager to get their hands on it, who downloaded the trojanized version from sites that specialize in unofficial Android package files (.APKs).

The infected Pokémon Go app bypassed the protections of the Google Play store because it was sideloaded: the .APK file was downloaded from a third-party website and then copied onto the device. This circumvented Play's review and distribution controls and gave the attackers an easy delivery vector. Sideloading is not a new practice; Android users, particularly developers, have been able to do it since the platform's release. The reason for this deliberate gap is to let developers (and advanced users) install applications that were not distributed through Google Play, for testing or use. Unfortunately, in this case it also let attackers exploit the mass interest in Pokémon Go, a staged regional release, and human impatience to get malware installed.
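A sideloaded package leaves a trace on the device that an administrator can check: Android records which installer placed each app. The script below is an added example, not code from the original post or from any vendor named on this page. It assumes two captures taken over adb (`adb shell pm list packages -i`, which prints `package:<name>  installer=<pkg|null>`, and `adb shell pm list packages -s`, which lists preinstalled packages), a hypothetical allowlist `PLAY_ONLY_PACKAGES` of apps that should only ever arrive through Google Play, and constructed sample output containing one sideloaded Pokémon Go.

```python
"""Find sideloaded packages on an Android device from `pm` output.

Added example (not from the original post). Google Play records itself as
installer com.android.vending; an .APK copied onto the device and sideloaded
is recorded with installer=null. Preinstalled system apps also show
installer=null, so they are excluded using the `pm list packages -s` list.
"""
import re
from typing import Dict, List, Set

PLAY_STORE_INSTALLER = "com.android.vending"

# Assumed administrator allowlist: apps that must only come from Google Play.
PLAY_ONLY_PACKAGES: Set[str] = {
    "com.nianticlabs.pokemongo",  # official Pokémon Go package name
    "com.whatsapp",
    "com.facebook.katana",
}

INSTALLER_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
PACKAGE_LINE = re.compile(r"^package:(\S+)$")

# Constructed sample captures: one sideloaded Pokémon Go, one developer tool.
SAMPLE_INSTALLERS = """\
package:com.android.vending  installer=null
package:com.android.settings  installer=null
package:com.nianticlabs.pokemongo  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.devtool  installer=null
"""

SAMPLE_SYSTEM = """\
package:com.android.vending
package:com.android.settings
"""


def parse_installers(text: str) -> Dict[str, str]:
    """Map package name -> recorded installer ('null' when none)."""
    installers: Dict[str, str] = {}
    for line in text.splitlines():
        match = INSTALLER_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def parse_package_list(text: str) -> Set[str]:
    """Parse plain `pm list packages` output into a set of names."""
    packages: Set[str] = set()
    for line in text.splitlines():
        match = PACKAGE_LINE.match(line.strip())
        if match:
            packages.add(match.group(1))
    return packages


def classify(installers: Dict[str, str], system_packages: Set[str]) -> Dict[str, List[str]]:
    """Split non-Play installs into impersonations of Play-only apps and plain sideloads."""
    report: Dict[str, List[str]] = {"impersonating": [], "sideloaded": []}
    for package, installer in sorted(installers.items()):
        if package in system_packages:
            continue  # preinstalled: installer=null is expected
        if installer == PLAY_STORE_INSTALLER:
            continue  # came through Google Play
        if package in PLAY_ONLY_PACKAGES:
            report["impersonating"].append(package)  # e.g. a trojanized Pokémon Go
        else:
            report["sideloaded"].append(package)
    return report


if __name__ == "__main__":
    result = classify(parse_installers(SAMPLE_INSTALLERS), parse_package_list(SAMPLE_SYSTEM))
    for category, packages in result.items():
        print(f"{category}: {', '.join(packages) or '-'}")
```

The installer field is the name of whatever app performed the install, so a third-party store shows its own package name rather than `null`; treat anything other than `com.android.vending` as non-Play. A package that uses an official name but did not come through Play is the case this post describes and deserves a look at its signing certificate before anything else.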

The malware in question is an evolution of SandroRAT, developed by the same group that made the original DroidJack app. DroidJack actually started life as a legitimate application that let family members track one another. DroidJack has kept functionality similar to its predecessor and is behaviorally similar to Dendroid, another Android RAT.

Your network may be secured from the outside, but that does not necessarily apply to the inside. The reality today is that people bring their personal devices to work all the time, and when those devices, whether smartphones, laptops or anything else, join your network, they open the door to a malware infection. The only reliable defenses are stopping threats from communicating with their command and control infrastructure and remediating infected devices immediately upon detection.
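Blocking command and control traffic starts with recognizing it, which ties this post back to the indicators of compromise discussed above. The following is an added example, not part of the original post, showing the matching logic run over constructed resolver and connection log lines. The indicators (RFC 5737 test addresses and `.invalid` names) and both log formats (`<timestamp> <client_ip> <queried_name>` for DNS, `<timestamp> <client_ip> <dst_ip>:<dst_port>` for connections) are assumptions; a real deployment reads a threat-intel feed and its own resolver and firewall logs.

```python
"""Match resolver and connection logs against a C2 indicator list.

Added example (not from the original post). Domain indicators match the
name itself and any subdomain; address indicators are CIDR networks.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# Assumed indicator list (constructed placeholders).
C2_DOMAINS: Set[str] = {"c2.example.invalid", "update-check.invalid"}
C2_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed sample logs: 10.0.0.12 and 10.0.0.45 beacon, 10.0.0.30 is clean
# (c2example.invalid is a look-alike that must NOT match c2.example.invalid).
DNS_LOG = """\
2016-07-12T10:01:01Z 10.0.0.12 api.play.google.invalid
2016-07-12T10:01:03Z 10.0.0.12 beacon.c2.example.invalid
2016-07-12T10:01:09Z 10.0.0.30 c2example.invalid
2016-07-12T10:02:15Z 10.0.0.45 UPDATE-CHECK.invalid.
"""

CONN_LOG = """\
2016-07-12T10:01:04Z 10.0.0.12 203.0.113.77:1337
2016-07-12T10:01:10Z 10.0.0.30 192.0.2.8:443
2016-07-12T10:03:00Z 10.0.0.45 198.51.100.7:8080
"""

Hit = Tuple[str, str]  # (client_ip, indicator that matched)


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return name.strip().rstrip(".").lower()


def matching_domain(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator matched by qname or any of its subdomains."""
    qname = normalize_domain(qname)
    for ioc in iocs:
        ioc = normalize_domain(ioc)
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def matching_network(address: str) -> Optional[str]:
    """Return the CIDR indicator containing address, if any."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None  # not an IP literal; skip rather than crash on a bad line
    for network in C2_NETWORKS:
        if ip in network:
            return str(network)
    return None


def scan_dns(log: str) -> List[Hit]:
    """Hits from DNS lines: "<timestamp> <client_ip> <queried_name>"."""
    hits: List[Hit] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        ioc = matching_domain(qname, C2_DOMAINS)
        if ioc:
            hits.append((client, ioc))
    return hits


def scan_connections(log: str) -> List[Hit]:
    """Hits from connection lines: "<timestamp> <client_ip> <dst_ip>:<dst_port>"."""
    hits: List[Hit] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, dest = parts
        dst_ip, _, _port = dest.rpartition(":")
        ioc = matching_network(dst_ip)
        if ioc:
            hits.append((client, ioc))
    return hits


def hosts_to_quarantine(*hit_lists: List[Hit]) -> List[str]:
    """Distinct internal hosts that touched any indicator, sorted for reporting."""
    return sorted({client for hits in hit_lists for client, _ in hits})


if __name__ == "__main__":
    dns_hits, conn_hits = scan_dns(DNS_LOG), scan_connections(CONN_LOG)
    for client, ioc in dns_hits + conn_hits:
        print(f"{client} -> {ioc}")
    print("quarantine:", hosts_to_quarantine(dns_hits, conn_hits))
```

The suffix check is anchored on a leading dot so that a look-alike such as `c2example.invalid` does not match `c2.example.invalid`, and names are normalized before comparison so that case and a trailing dot do not hide a hit. Feeding the resulting host list to a NAC or firewall rule is what turns detection into the C2 block the paragraph above calls for.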


CryptXXX is crypto-ransomware that debuted in April 2016 and is attributed to the makers of Reveton, a well-known police ransomware that terrorized victims at the beginning of the decade. Recently, CryptXXX has been spreading rapidly through phishing emails with malicious attachments, which lead into an attack chain using the Neutrino exploit kit (and previously Angler) to ultimately download the ransomware.